Case study: “Imminent RATs” (III)

8 de February de 2019 Por

Articles from the series “Case study: “Imminent RATs”: [1] [2] [3]

Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format))

Additional analysis

The incident was practically solved in the previous article, but we still have some doubts in the pipeline:

  • What actions did the malware perform on the system?
  • What type of malware is it?

To get out of doubts we execute the document in a specially tuned virtual machine with anti-VM measures, which also has Noriben and Sysmon installed. In addition, we capture the outgoing traffic with WireShark to have as complete a view as possible of what the malware does.
[Read more…]

Case study: “Imminent RATs” (II)

6 de February de 2019 Por
Articles from the series “Case study: “Imminent RATs”:” [1] [2] [3]
[Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format)]

Analysis (follow-up)

In the previous article, we had determined there was “something weird” in the computer, and we had downloaded both, a possibly malicious .doc and a user executable and mailbox. It’s time to get down to work to see what they may contain…

[Note: As a good security practice, malicious files should NEVER be shared without minimal protection. Therefore, you can download both files from here, but they are zipped with the password “infected”. Please, handle them with extreme care, you’ve been warned.]

To start with, we can open the user’s .pst to verify that the infection path is correct, something we can easily do from Windows with the Kernel Outlook PST Viewer:
[Read more…]

Business continuity in ISMS?

5 de February de 2019 Por

This article analyzes what has changed in the ISO 27002 series of standards regarding business continuity.

Introduction

This article discusses the possible overlap between two disciplines that are quite related to each other, although each one has its own specific area: information security and business continuity. In particular, it analyzes how the two reference standards (ISO 27001 and ISO 22301) are overlapped or not.

In a separate article I will discuss where the two worlds come together and how the implementation of both standards can be carried out without falling into unnecessary redundancies.
[Read more…]

Case study: “Imminent RATs” (I)

4 de February de 2019 Por

Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format)).

Incident Response in less than 15 lines

Ultra-fast summary of incident response:

  • Preparation: We prepare ourselves for a possible attack by deploying detection and response measures in the Organization.
  • Detection and analysis: We detect possible attacks and analyze them to determine whether or not they are false positives, and in the event of an attack we analyze its severity.
  • Containment, eradication and recovery: We contain the spread of the attackers through the system, expel them and return the system to normal operation.
  • Post-incident lessons: We analyze the incident in search of measures to improve both the security of the system and the response itself for future incidents.

[Read more…]

(Cyber) GRU (IV): September 2018

1 de February de 2019 Por

Serguei Skripal was a GRU agent who was arrested in 2004. He was accused of collaborating with the British MI6 and sentenced for high treason until 2010, when he was exchanged for Russian agents arrested as part of the ‘Operation Illegal’. Since then, he had lived in the United Kingdom, apparently away from any “annoying” activity linked to his past as a member of the Service. However, in March 2018, he was found unconscious together with his daughter Yulia – she was visiting the United Kingdom – in a bank in Salisbury, allegedly the victim of an attack with Novichok, a Soviet nerve agent. The United Kingdom blames Russia for this attack without much detail.

At the end of June two Britons, a man and a woman, were admitted to the Salisbury District Hospital. An ambulance brought them from Amesbury, a few kilometres from where the former GRU agent and his daughter were poisoned. The investigation confirmed that they had also been poisoned with Novichok, apparently by accident: none of them had any previous connection with what happened in March and, possibly, they found by chance the nerve agent in what appeared to be a bottle of perfume abandoned in a park. The woman died in early July as a result of the effects of the poisoning.

[Read more…]

(Cyber) GRU (III): July 2018

30 de January de 2019 Por

As we have said, if until this year the GRU was one of the most opaque services in the world, in 2018 everything changes. Three facts stand out in the chronography, which conclude with the death of Lieutenant General KOROBOV in November; we will see in this section the first of them -and in the coming ones the other two, which occurred in the month of July.

On July 13, the US Department of Justice (DoJ) publishes [1], a document accusing twelve GRU agents – directly summoned by name and surnames – of possible Russian interference in the 2016 presidential elections. The person signing the document is none other than Robert Mueller, an advisor to the DoJ who coordinates investigations in this area – that of Russia’s relationship with the US presidential elections- and who, among other things, was director of the FBI for more tan ten years. After this accusation, the FBI includes among its “Cyber most wanted” the twelve agents of the service, highlighting that they can be armed and dangerous. Until then, the only Russian service that had the privilege of having agents among the most wanted by the FBI was the FSB. [Read more…]

Artificial intelligence and cybersecurity

29 de January de 2019 Por

The eternal game of cat and mouse between attackers and defenders in the world of cybersecurity has historically involved a constant improvement of the methodologies carried out by both parties. The rapid and innovative development of Artificial Intelligence (AI) is very attractive for the development of new methodologies for both attackers and defenders.

Broadly speaking, AI refers to the learning done by machines or computers, to carry out actions considered as “intelligent”. One of the great challenges of this discipline is to provide them with “human” capabilities so that they can have behaviors similar to ours. One of the branches with the greatest potential today in artificial intelligence is the so-called ‘Machine Learning’. The basic objective of this branch is to “train” the machine so that it is capable of giving an adequate response based on input parameters.

[Read more…]

Cyber (GRU) (II): historical SIGINT

28 de January de 2019 Por

The GRU, Military Unit 44388, obtains and processes intelligence from multiple disciplines, including IMINT, SATINT and, of course OSINT, with information needs linked to the military, political, technological, economic and ecological/energy fields ([1]). It was already indicated in the article dedicated to the GRU, within the series on the Russian Cyberintelligence Community, that the Sixth Directorate of the GRU has historically had the SIGINT (COMINT and ELINT) attributions of the Service. An excellent description of these attributions can be found in [2]; in the image, the historical structure of the GRU:

The Sixth Directorate, which reports directly to the Service’s Deputy Director for Technical Affairs, was divided into four divisions [Read more…]

WIRTE Group attacking the Middle East

25 de January de 2019 Por

The Intelligence Development Group of S2 Grupo has carried out an investigation on an actor from whom LAB52 has not been able to find references or similarities in open sources and who has been identified as WIRTE.

The DFIR (Digital Forensics and Incident Response) team of S2 Grupo first identified this actor in August 2018 and since then the follow-up has been carried out during the last few months.

This group attacks the Middle East and does not use very sophisticated mechanisms, at least in the campaign started in August 2018 which was monitored. It is considered unsophisticated by the fact that the scripts are unobtrusive, communications go unencrypted by HTTP, they use Powershell (increasingly monitored), and so on. Despite this apparently unsophisticated modus operandi compared to other actors, they manage to infect their victims and carry out their objectives. In addition, as will be seen during the report, the detection rate of some of the scripts in December 2018 by the main antivirus manufacturers is low, an aspect that must be highlighted. We must be aware that once these scripts are executed, it is when the behavior analysis of many solutions will detect them, but this fact has not been studied by LAB52.

This actor in all the artifacts analyzed shows his victims a decoy document in Arabic with different themes. During the report these documents will be analyzed and who could be the objectives depending on the topic dealt with in the document. [Read more…]

(Cyber) GRU (I): Introduction

24 de January de 2019 Por

As we already mentioned in the post about it, within the series on the Russian Cyberintelligence Community, the GRU (GU) is the most opaque of the Russian services, maintaining almost intact its Soviet heritage against the “westernized” FSB o SVR: in fact, the structure and operation of the Service has not been especially well known, being the main reference [1] until rather recently. Beyond specific data of operations without a clear attribution, or the identities of its Director and Deputy Directors -no secret-, little or nothing was known about the Service. However, and certainly very much in spite of the GRU, in 2018 there are – up to now – three facts that give a radical turn to this opacity: [Read more…]